SOLVED Can emails be sent outbound other than with smtp?

[jeffschips]

Hello. I frequently monitor outbound email that uses a php script (phplist) and exim to send it out. However, if - and it's a big if - an account gets compromised, is there a way for someone to also send out emails say "under the radar" that are not included in domain email logs?

Thanks.

 

[quietFinn]

If you have SMTP Restrictions enabled then users can't send emails directly to remote mail servers.

"This feature prevents users from bypassing the mail server to send mail, a common practice used by spammers.
It will allow only the MTA, mailman, and root to connect to remote SMTP servers. "

If you use CSF there is same feature, SMTP_BLOCK

"Block outgoing SMTP except for root, exim and mailman (forces scripts/users
to use the exim/sendmail binary instead of sockets access). This replaces the
protection as WHM > Tweak Settings > SMTP Tweaks "

You should not enable both.

 

[jeffschips]

Thanks for that information @quietFinn - very useful.

I do have SMTP Restrictions ON in cpanel and off in CSF.

I noticed another switch, SMTP_ALLOWLOCAL which is ON. Wondering if that simply allows users in their cpanel email accounts to send mail. Is that what it's for? I don't really understand that one.

If SMTP_BLOCK is enabled but you want to allow local connections to port 25
on the server (e.g. for webmail or web scripts) then enable this option to
allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL =

 

[quietFinn]

I noticed another switch, SMTP_ALLOWLOCAL which is ON. Wondering if that simply allows users in their cpanel email accounts to send mail. Is that what it's for? I don't really understand that one.

It allows users in the server to connect to port 25 in the server, for example a script can send mails, but only using Exim in the server.

 

[jeffschips]

Ah, I see. So that would be of use if, for example, a user has a mail script that notifies them of certain activity. Kind of like a home-brew script that a user could write. And even then, it must use Exim so there would be record of the outbound connection, etc. for review. Correct?

 

[quietFinn]

Ah, I see. So that would be of use if, for example, a user has a mail script that notifies them of certain activity. Kind of like a home-brew script that a user could write. And even then, it must use Exim so there would be record of the outbound connection, etc. for review. Correct?

Yes, all emails sent by normal users must go through the local Exim.
That's pretty much standard configuration, SMTP_BLOCK & SMTP_ALLOWLOCAL both ON

 

[jeffschips]

SOLVED: thanks for the excellent and prompt feedback. Much appreciated.

 

[cPRex]

Thanks @quietFinn !!!